Add authenticated MCP server, oauth-proxy for chai-bot write access#82041
Add authenticated MCP server, oauth-proxy for chai-bot write access#82041arnavmeduri wants to merge 1 commit into
Conversation
|
[REHEARSALNOTIFIER] Note: If this PR includes changes to step registry files ( |
WalkthroughAdds public and authenticated MCP deployment paths, OAuth proxying, token-based service-account authorization, protected ingress routing, and trusted delegation configuration for the Ship Status dashboard. ChangesProtected MCP access
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant Client
participant Ingress
participant oauth-proxy-mcp
participant ship-status-mcp-auth
Client->>Ingress: HTTPS request to protected MCP hostname
Ingress->>oauth-proxy-mcp: Route traffic to port 9443
oauth-proxy-mcp->>ship-status-mcp-auth: Forward authenticated request to port 8091
ship-status-mcp-auth-->>Client: MCP response
Suggested reviewers: 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Hi @arnavmeduri. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Tip We noticed you've done this a few times! Consider joining the org to skip this step and gain Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: arnavmeduri The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@clusters/app.ci/ship-status-dash/dashboard/deployment.yaml`:
- Around line 199-275: Update the ship-status-mcp-auth and oauth-proxy-mcp
container definitions to satisfy the Kubernetes container requirements. Add
securityContext entries with runAsNonRoot, readOnlyRootFilesystem,
allowPrivilegeEscalation, and dropped ALL capabilities; add CPU and memory
requests/limits to oauth-proxy-mcp; and add a livenessProbe for oauth-proxy-mcp
while preserving its existing readinessProbe.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: fee977bb-1c3f-4532-b1a7-8cd6a250035b
📒 Files selected for processing (6)
clusters/app.ci/ship-status-dash/dashboard/deployment.yamlclusters/app.ci/ship-status-dash/dashboard/ingress.yamlclusters/app.ci/ship-status-dash/dashboard/mcp-server-serviceaccount.yamlclusters/app.ci/ship-status-dash/dashboard/rbac.yamlclusters/app.ci/ship-status-dash/dashboard/service.yamlcore-services/ship-status/dashboard-config.yaml
Adds the config for chai-bot to create and manage outages through an authenticated MCP endpoint. The authenticated MCP receives requests through its own oauth-proxy, then calls the dashboard's protected API using a dedicated service account token.
Changes:
clusters/app.ci/ship-status-dash/dashboard/mcp-server-serviceaccount.yaml:mcp-serverwith long-lived token secret for authenticating to the dashboard's oauth-proxyclusters/app.ci/ship-status-dash/dashboard/deployment.yaml:MCP_MODE=publicto existing MCP, addship-status-mcp-authcontainer, addoauth-proxy-mcpcontainer, addmcp-server-tokenvolumeclusters/app.ci/ship-status-dash/dashboard/rbac.yaml:ship-status-mcp-serverClusterRole/Binding grantingnamespaces/getso the MCP SA passes the dashboard oauth-proxy's SAR checkclusters/app.ci/ship-status-dash/dashboard/service.yaml:clusters/app.ci/ship-status-dash/dashboard/ingress.yaml:protected-mcp.ship-status.ci.openshift.orgto TLS hosts and routingcore-services/ship-status/dashboard-config.yaml:trusted_delegatorswith the MCP server SA, addchai-botas a user on all componentsSummary by CodeRabbit
Configures Chai-bot to create and manage Ship Status outages through a protected MCP endpoint.